[Snort-users] Error getting during snort installation steps on windows (Not able to run snortstart.bat file)

Sadanand Ghagare sadanandgh at ...11827...
Fri May 22 10:56:53 EDT 2009


Thanks Brian,

After making the snort.conf entry, Kiwi is able to pick up the Snort output.


cheers,
Sadanand

On Thu, May 21, 2009 at 10:22 PM, Brian Starrfield <bstarrfi at ...1935...> wrote:

> You might want to try:
>
> output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
>
> Also, probably reboot to clear the socket.
>
> Check, when it comes back up, that your kiwi syslog is listening.
>
> nbtstat -A
>
> Snort works fine on Windows, but there are sometimes issues with the
> sockets, etc.
>
> Brian
>
> On Thu, May 21, 2009 at 10:12 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
> > Hi Joel,
> >
> > I have entered following line in snort.conf :
> > output alert_syslog: host=127.0.0.1:514, LOG_Local7 LOG_ALERT
> > But still not getting output in kiwi syslog server.
> > could you help me please.
> > I am using same Snort windows system for kiwi syslog server.
> > Should I try a different syslog daemon? If yes, which one do you
> > recommend?
> >
> > Regards,
> > sadanand
> > On Wed, May 20, 2009 at 6:49 PM, Joel Esler <jesler at ...1935...> wrote:
> >>
> >> I suggest you take a look in your snort.conf file, look for the word
> >> "syslog".
> >>
> >> You won't want to use the -v option.
> >>
> >> Joel
> >>
> >> On Wed, May 20, 2009 at 9:00 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
> >>>
> >>> Hi Joel,
> >>>
> >>> After enabling verbose mode, I am getting some output. Following change I
> >>> made in snortstart.bat
> >>>
> >>> c:\snort\bin\snort -v -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
> >>>
> >>> but still I am not getting that output in kiwi. I am new to snort. Can
> >>> you please let me know the steps to enable syslog output.
> >>> I have installed kiwi syslog server v8.3.52 on the same machine on which
> >>> I have snort installed.
> >>>
> >>> Thanks,
> >>> Sadanand
> >>> On Wed, May 20, 2009 at 6:10 PM, Joel Esler <jesler at ...1935...>
> >>> wrote:
> >>>>
> >>>> Sadanand,
> >>>>
> >>>> That's the successful completion start up lines.  I see no errors
> >>>> there.  I see nothing to indicate that you *should* be receiving alerts in
> >>>> Kiwi, as you don't have the syslog output enabled.  Try configuring that,
> >>>> and restarting Snort.
> >>>>
> >>>> Joel
> >>>>
> >>>> On Wed, May 20, 2009 at 7:05 AM, Sadanand Ghagare <sadanandgh at ...11827...> wrote:
> >>>>>
> >>>>> Hi
> >>>>>
> >>>>> I followed steps to install snort on windows 2003 standard edition. For
> >>>>> this, I used method of installing snort on win xp.
> >>>>> After installation, when I tried to run snortstart.bat file as per
> >>>>> step 12, it got stuck on following prompt and I can't see the snort piggy,
> >>>>> nor am I getting any output in Kiwi.
> >>>>>
> >>>>>         --== Initialization Complete ==--
> >>>>>
> >>>>>    ,,_     -*> Snort! <*-
> >>>>>   o"  )~   Version 2.8.4-ODBC-MySQL-FlexRESP-WIN32 GRE (Build 26)
> >>>>>    ''''    By Martin Roesch & The Snort Team:
> >>>>> http://www.snort.org/team.html
> >>>>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> >>>>>            Using PCRE version: 7.4 2007-09-21
> >>>>>
> >>>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.10  <Build 16>
> >>>>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 2>
> >>>>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 1>
> >>>>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
> >>>>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 11>
> >>>>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
> >>>>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
> >>>>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 1>
> >>>>> Not Using PCAP_FRAMES
> >>>>>
> >>>>> ===================================
> >>>>>
> >>>>> Here is my snortstart.conf file:
> >>>>>
> >>>>> c:\snort\bin\snort -i2 -s -l c:\snort\log\ -c c:\snort\etc\snort.conf
> >>>>>
> >>>>> ================================
> >>>>>
> >>>>> Here is my snort.conf file:
> >>>>>
> >>>>> #VERSION:284
> >>>>> #--------------------------------------------------
> >>>>> #   http://www.snort.org     Snort current Ruleset
> >>>>> #     Contact: snort-sigs at lists.sourceforge.net
> >>>>> #--------------------------------------------------
> >>>>> # $Id: snort.conf,v 1.183.4.6 2009/04/08 21:40:16 mwatchinski Exp $
> >>>>> #
> >>>>> ###################################################
> >>>>> # This file contains a sample snort configuration.
> >>>>> # You can take the following steps to create your own custom configuration:
> >>>>> #
> >>>>> #  1) Set the variables for your network
> >>>>> #  2) Configure dynamic loaded libraries
> >>>>> #  3) Configure preprocessors
> >>>>> #  4) Configure output plugins
> >>>>> #  5) Add any runtime config directives
> >>>>> #  6) Customize your rule set
> >>>>> #
> >>>>> ###################################################
> >>>>> # Step #1: Set the network variables:
> >>>>> #
> >>>>> # You must change the following variables to reflect your local network. The
> >>>>> # variable is currently setup for an RFC 1918 address space.
> >>>>> #
> >>>>> # You can specify it explicitly as:
> >>>>> #
> >>>>> # var HOME_NET 10.1.1.0/24
> >>>>> #
> >>>>> # or use global variable $<interfacename>_ADDRESS which will be always
> >>>>> # initialized to IP address and netmask of the network interface which you run
> >>>>> # snort at.  Under Windows, this must be specified as
> >>>>> # $(<interfacename>_ADDRESS), such as:
> >>>>> # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
> >>>>> #
> >>>>> # var HOME_NET $eth0_ADDRESS
> >>>>> #
> >>>>> # You can specify lists of IP addresses for HOME_NET
> >>>>> # by separating the IPs with commas like this:
> >>>>> #
> >>>>> # var HOME_NET [10.1.1.0/24,192.168.1.0/24]
> >>>>> #
> >>>>> # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
> >>>>> #
> >>>>> # or you can specify the variable to be any IP address
> >>>>> # like this:
> >>>>>
> >>>>> # Set up network addresses you are protecting.  A simple start might be RFC1918
> >>>>> var HOME_NET any
> >>>>>
> >>>>> # Set up the external network addresses as well.  A good start may be "any"
> >>>>> var EXTERNAL_NET any
> >>>>>
> >>>>> # Configure your server lists.  This allows snort to only look for attacks to
> >>>>> # systems that have a service up.  Why look for HTTP attacks if you are not
> >>>>> # running a web server?  This allows quick filtering based on IP addresses
> >>>>> # These configurations MUST follow the same configuration scheme as defined
> >>>>> # above for $HOME_NET.
> >>>>>
> >>>>> # List of DNS servers on your network
> >>>>> var DNS_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of SMTP servers on your network
> >>>>> var SMTP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of web servers on your network
> >>>>> var HTTP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of sql servers on your network
> >>>>> var SQL_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of telnet servers on your network
> >>>>> var TELNET_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of snmp servers on your network
> >>>>> var SNMP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of ftp servers on your network
> >>>>> var FTP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of ssh servers on your network
> >>>>> var SSH_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of pop2/3 servers on your network
> >>>>> var POP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of imap servers on your network
> >>>>> var IMAP_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of SunRPC servers on your network
> >>>>> var RPC_SERVERS $HOME_NET
> >>>>>
> >>>>> # List of web servers on your network
> >>>>> var WWW_SERVERS $HOME_NET
> >>>>>
> >>>>> # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
> >>>>> # modifying the signatures when they do, we add them to this list of servers.
> >>>>> var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> >>>>>
> >>>>>
> >>>>> # Configure your service ports.  This allows snort to look for attacks destined
> >>>>> # to a specific application only on the ports that application runs on.  For
> >>>>> # example, if you run a web server on port 8081, set your HTTP_PORTS variable
> >>>>> # like this:
> >>>>> #
> >>>>> # var HTTP_PORTS 8081
> >>>>> #
> >>>>> # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
> >>>>> # We will be adding support for a real list of ports in the future.
> >>>>>
> >>>>> # Ports you run web servers on
> >>>>> #
> >>>>> # Please note:  [80,8080] does not work.
> >>>>> # If you wish to define multiple HTTP ports, use the following convention
> >>>>> # when customizing your rule set (as part of Step #6 below).  This should
> >>>>> # not be done here, as the rules files may depend on the classifications
> >>>>> # and/or references, which are included below.
> >>>>> #
> >>>>> ## var HTTP_PORTS 80
> >>>>> ## include somefile.rules
> >>>>> ## var HTTP_PORTS 8080
> >>>>> ## include somefile.rules
> >>>>>
> >>>>> # HTTP Ports on your network
> >>>>> portvar HTTP_PORTS [80,2301,3128,8000,8080,8180,8888]
> >>>>>
> >>>>> # Ports you want to look for SHELLCODE on.
> >>>>> portvar SHELLCODE_PORTS !80
> >>>>>
> >>>>> # Ports you do oracle attacks on
> >>>>> portvar ORACLE_PORTS 1521
> >>>>>
> >>>>> # Auth / ident
> >>>>> portvar AUTH_PORTS 113
> >>>>>
> >>>>> # DNS
> >>>>> portvar DNS_PORTS 53
> >>>>>
> >>>>> # Finger
> >>>>> portvar FINGER_PORTS 79
> >>>>>
> >>>>> # Ftp
> >>>>> portvar FTP_PORTS 21
> >>>>>
> >>>>> # Imap
> >>>>> portvar IMAP_PORTS 143
> >>>>>
> >>>>> # IRC
> >>>>> portvar IRC_PORTS [6665,6666,6667,6668,6669,7000]
> >>>>>
> >>>>> # MS-SQL
> >>>>> portvar MSSQL_PORTS 1433
> >>>>>
> >>>>> # NNTP
> >>>>> portvar NNTP_PORTS 119
> >>>>>
> >>>>> # POP2
> >>>>> portvar POP2_PORTS 109
> >>>>>
> >>>>> # POP3
> >>>>> portvar POP3_PORTS 110
> >>>>>
> >>>>> # PortMapper
> >>>>> portvar SUNRPC_PORTS [111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779]
> >>>>>
> >>>>> # rlogin
> >>>>> portvar RLOGIN_PORTS 513
> >>>>>
> >>>>> # rsh
> >>>>> portvar RSH_PORTS 514
> >>>>>
> >>>>> # smb
> >>>>> portvar SMB_PORTS [139,445]
> >>>>>
> >>>>> # smtp
> >>>>> portvar SMTP_PORTS 25
> >>>>>
> >>>>> # snmp
> >>>>> portvar SNMP_PORTS 161
> >>>>>
> >>>>> # ssh
> >>>>> portvar SSH_PORTS 22
> >>>>>
> >>>>> # telnet
> >>>>> portvar TELNET_PORTS 23
> >>>>>
> >>>>> # mail this for compatibility with versions of snort that support port lists
> >>>>> portvar MAIL_PORTS [25,143,465,691]
> >>>>>
> >>>>> # SSL Ports
> >>>>> portvar SSL_PORTS [25,443,465,636,993,995]
> >>>>>
> >>>>> # DCERPC NCACN-IP-TCP
> >>>>> portvar DCERPC_NCACN_IP_TCP [139,445]
> >>>>> portvar DCERPC_NCADG_IP_UDP [138,1024:]
> >>>>> portvar DCERPC_NCACN_IP_LONG [135,139,445,593,1024:]
> >>>>> portvar DCERPC_NCACN_UDP_LONG [135,1024:]
> >>>>> portvar DCERPC_NCACN_UDP_SHORT [135,593,1024:]
> >>>>> portvar DCERPC_NCACN_TCP [2103,2105,2107]
> >>>>> portvar DCERPC_BRIGHTSTORE [6503,6504]
> >>>>>
> >>>>> # Path to your rules files (this can be a relative path)
> >>>>> # Note for Windows users:  You are advised to make this an absolute path,
> >>>>> # such as:  c:\snort\rules
> >>>>> var RULE_PATH C:\snort\rules
> >>>>>
> >>>>> # Configure the snort decoder
> >>>>> # ============================
> >>>>> #
> >>>>> # Snort's decoder will alert on lots of things such as header
> >>>>> # truncation or options of unusual length or infrequently used tcp options
> >>>>> #
> >>>>> #
> >>>>> # Stop generic decode events:
> >>>>> #
> >>>>> # config disable_decode_alerts
> >>>>> #
> >>>>> # Stop Alerts on experimental TCP options
> >>>>> #
> >>>>> # config disable_tcpopt_experimental_alerts
> >>>>> #
> >>>>> # Stop Alerts on obsolete TCP options
> >>>>> #
> >>>>> # config disable_tcpopt_obsolete_alerts
> >>>>> #
> >>>>> # Stop Alerts on T/TCP alerts
> >>>>> #
> >>>>> # In snort 2.0.1 and above, this only alerts when a TCP option is detected
> >>>>> # that shows T/TCP being actively used on the network.  If this is normal
> >>>>> # behavior for your network, disable the next option.
> >>>>> #
> >>>>> # config disable_tcpopt_ttcp_alerts
> >>>>> #
> >>>>> # Stop Alerts on all other TCPOption type events:
> >>>>> #
> >>>>> # config disable_tcpopt_alerts
> >>>>> #
> >>>>> # Stop Alerts on invalid ip options
> >>>>> #
> >>>>> # config disable_ipopt_alerts
> >>>>> #
> >>>>> # Alert if value in length field (IP, TCP, UDP) is greater than the
> >>>>> # actual length of the captured portion of the packet that the length
> >>>>> # is supposed to represent:
> >>>>> #
> >>>>> # config enable_decode_oversized_alerts
> >>>>> #
> >>>>> # Same as above, but drop packet if in Inline mode -
> >>>>> # enable_decode_oversized_alerts must be enabled for this to work:
> >>>>> #
> >>>>> # config enable_decode_oversized_drops
> >>>>> #
> >>>>> config checksum_mode: all
> >>>>> config disable_decode_alerts
> >>>>> config disable_tcpopt_experimental_alerts
> >>>>> config disable_tcpopt_obsolete_alerts
> >>>>> config disable_ttcp_alerts
> >>>>> config disable_tcpopt_alerts
> >>>>> config disable_ipopt_alerts
> >>>>> config disable_decode_drops
> >>>>>
> >>>>> # Configure the detection engine
> >>>>> # ===============================
> >>>>> #
> >>>>> # Use a different pattern matcher in case you have a machine with very limited
> >>>>> # resources:
> >>>>> #
> >>>>> # config detection: search-method lowmem
> >>>>>
> >>>>> config detection: search-method ac-bnfa
> >>>>> config detection: max_queue_events 5
> >>>>> config event_queue: max_queue 8 log 3 order_events content_length
> >>>>>
> >>>>> # Configure Inline Resets
> >>>>> # ========================
> >>>>> #
> >>>>> # If running an iptables firewall with snort in InlineMode() we can now
> >>>>> # perform resets via a physical device. We grab the indev from iptables
> >>>>> # and use this for the interface on which to send resets. This config
> >>>>> # option takes an argument for the src mac address you want to use in the
> >>>>> # reset packet.  This way the bridge can remain stealthy. If the src mac
> >>>>> # option is not set we use the mac address of the indev device. If we
> >>>>> # don't set this option we will default to sending resets via raw socket,
> >>>>> # which needs an ipaddress to be assigned to the int.
> >>>>> #
> >>>>> # config layer2resets: 00:06:76:DD:5F:E3
> >>>>>
> >>>>> ###################################################
> >>>>> # Step #2: Configure dynamic loaded libraries
> >>>>> #
> >>>>> # If snort was configured to use dynamically loaded libraries,
> >>>>> # those libraries can be loaded here.
> >>>>> #
> >>>>> # Each of the following configuration options can be done via
> >>>>> # the command line as well.
> >>>>> #
> >>>>> # Load all dynamic preprocessors from the install path
> >>>>> # (same as command line option --dynamic-preprocessor-lib-dir)
> >>>>> #
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dce2.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dcerpc.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_dns.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ftptelnet.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_smtp.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll
> >>>>> dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssl.dll
> >>>>>
> >>>>> # Comment out above and uncomment this if running OSX
> >>>>> #
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.dylib
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.dylib
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.dylib
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.dylib
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.dylib
> >>>>> #dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.dylib
> >>>>>
> >>>>> #
> >>>>> # Load a specific dynamic preprocessor library from the install path
> >>>>> # (same as command line option --dynamic-preprocessor-lib)
> >>>>> #
> >>>>> # dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
> >>>>> #
> >>>>> # Load a dynamic engine from the install path
> >>>>> # (same as command line option --dynamic-engine-lib)
> >>>>> #
> >>>>> dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
> >>>>> #
> >>>>> # Load all dynamic rules libraries from the install path
> >>>>> # (same as command line option --dynamic-detection-lib-dir)
> >>>>> #
> >>>>> # dynamicdetection directory /usr/local/lib/snort_dynamicrule/
> >>>>> #
> >>>>> # Load a specific dynamic rule library from the install path
> >>>>> # (same as command line option --dynamic-detection-lib)
> >>>>> #
> >>>>> # Rule packages from the VRT contain a so_rules directory that contains these rules
> >>>>> # you need to compile them using the makefile in the rules package and place
> >>>>> # them here and add them.
> >>>>> #
> >>>>>
> >>>>> # Uncomment if you are using the default VRT SO rules and have them in this directory.
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/bad-traffic.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/chat.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/dos.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/exploit.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/imap.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/misc.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/multimedia.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/netbios.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/nntp.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/smtp.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/sql.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-client.so
> >>>>> #dynamicdetection file /usr/local/lib/snort_dynamicrule/web-misc.so
> >>>>>
> >>>>>
> >>>>> ###################################################
> >>>>> # Step #3: Configure preprocessors
> >>>>> #
> >>>>> # General configuration for preprocessors is of
> >>>>> # the form
> >>>>> # preprocessor <name_of_processor>: <configuration_options>
> >>>>>
> >>>>> # frag3: Target-based IP defragmentation
> >>>>> # --------------------------------------
> >>>>> #
> >>>>> # Frag3 is a brand new IP defragmentation preprocessor that is capable of
> >>>>> # performing "target-based" processing of IP fragments.  Check out the
> >>>>> # README.frag3 file in the doc directory for more background and configuration
> >>>>> # information.
> >>>>> #
> >>>>> # Frag3 configuration is a two step process, a global initialization phase
> >>>>> # followed by the definition of a set of defragmentation engines.
> >>>>> #
> >>>>> # Global configuration defines the number of fragmented packets that Snort can
> >>>>> # track at the same time and gives you options regarding the memory cap for the
> >>>>> # subsystem or, optionally, allows you to preallocate all the memory for the
> >>>>> # entire frag3 system.
> >>>>> #
> >>>>> # frag3_global options:
> >>>>> #   max_frags: Maximum number of frag trackers that may be active at once.
> >>>>> #              Default value is 8192.
> >>>>> #   memcap: Maximum amount of memory that frag3 may access at any given time.
> >>>>> #           Default value is 4MB.
> >>>>> #   prealloc_frags: Maximum number of individual fragments that may be processed
> >>>>> #                   at once.  This is instead of the memcap system, uses static
> >>>>> #                   allocation to increase performance.  No default value.  Each
> >>>>> #                   preallocated fragment eats ~1550 bytes.
> >>>>> #
> >>>>> # Target-based behavior is attached to an engine as a "policy" for handling
> >>>>> # overlaps and retransmissions as enumerated in the Paxson paper.  There are
> >>>>> # currently five policy types available: "BSD", "BSD-right", "First", "Linux"
> >>>>> # and "Last".  Engines can be bound to standard Snort CIDR blocks or
> >>>>> # IP lists.
> >>>>> #
> >>>>> # frag3_engine options:
> >>>>> #   timeout: Amount of time a fragmented packet may be active before expiring.
> >>>>> #            Default value is 60 seconds.
> >>>>> #   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
> >>>>> #              Based on the initial received fragment TTL.
> >>>>> #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
> >>>>> #            value will be discarded.  Default value is 0.
> >>>>> #   detect_anomalies: Activates frag3's anomaly detection mechanisms.
> >>>>> #   policy: Target-based policy to assign to this engine.  Default is Windows.
> >>>>> #   bind_to: IP address set to bind this engine to.  Default is all hosts.
> >>>>> #
> >>>>> # Frag3 configuration example:
> >>>>> #preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
> >>>>> #preprocessor frag3_engine: policy linux \
> >>>>> #                           bind_to [10.1.1.12/32,10.1.1.13/32] \
> >>>>> #                           detect_anomalies
> >>>>> #preprocessor frag3_engine: policy first \
> >>>>> #                           bind_to 10.2.1.0/24 \
> >>>>> #                           detect_anomalies
> >>>>> #preprocessor frag3_engine: policy last \
> >>>>> #                           bind_to 10.3.1.0/24
> >>>>> #preprocessor frag3_engine: policy bsd
> >>>>>
> >>>>> preprocessor frag3_global: max_frags 65536
> >>>>> preprocessor frag3_engine: policy windows timeout 180
> >>>>>
> >>>>> # stream5: Target Based stateful inspection/stream reassembly for Snort
> >>>>> # ---------------------------------------------------------------------
> >>>>> # Stream5 is a target-based stream engine for Snort.  Its functionality
> >>>>> # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
> >>>>> # cannot be used simultaneously.  Comment out the stream4 configurations
> >>>>> # above to use Stream5.
> >>>>> #
> >>>>> # See README.stream5 for details on the configuration options.
> >>>>> #
> >>>>> # Example config (that emulates Stream4 with UDP support compiled in)
> >>>>> preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
> >>>>>                              track_udp yes
> >>>>> preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
> >>>>>                           ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888, \
> >>>>>                           ports both 443 465 563 636 989 992 993 994 995
> >>>>> preprocessor stream5_udp: ignore_any_rules
> >>>>>
> >>>>>
> >>>>> # Performance Statistics
> >>>>> # ----------------------
> >>>>> # Documentation for this is provided in the Snort Manual.  You should read it.
> >>>>> # It is included in the release distribution as doc/snort_manual.pdf
> >>>>> #
> >>>>> # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
> >>>>>
> >>>>> # http_inspect: normalize and detect HTTP traffic and protocol anomalies
> >>>>> #
> >>>>> # lots of options available here. See doc/README.http_inspect.
> >>>>> # unicode.map should be wherever your snort.conf lives, or given
> >>>>> # a full path to where snort can find it.
> >>>>> preprocessor http_inspect: global iis_unicode_map unicode.map 1252
> >>>>> preprocessor http_inspect_server: \
> >>>>>     server default \
> >>>>>     apache_whitespace no \
> >>>>>     ascii no \
> >>>>>     bare_byte no \
> >>>>>     chunk_length 500000 \
> >>>>>     flow_depth 1460 \
> >>>>>     directory no \
> >>>>>     double_decode no \
> >>>>>     iis_backslash no \
> >>>>>     iis_delimiter no \
> >>>>>     iis_unicode no \
> >>>>>     multi_slash no \
> >>>>>     non_strict \
> >>>>>     oversize_dir_length 500 \
> >>>>>     ports { 80 2301 3128 8000 8080 8180 8888 } \
> >>>>>     u_encode yes \
> >>>>>     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> >>>>>     webroot no
> >>>>>
> >>>>> #
> >>>>> #  Example unique server configuration
> >>>>> #
> >>>>> #preprocessor http_inspect_server: server 1.1.1.1 \
> >>>>> #    ports { 80 3128 8080 } \
> >>>>> #    flow_depth 0 \
> >>>>> #    ascii no \
> >>>>> #    double_decode yes \
> >>>>> #    non_rfc_char { 0x00 } \
> >>>>> #    chunk_length 500000 \
> >>>>> #    non_strict \
> >>>>> #    oversize_dir_length 300 \
> >>>>> #    no_alerts
> >>>>>
> >>>>>
> >>>>> # rpc_decode: normalize RPC traffic
> >>>>> # ---------------------------------
> >>>>> # RPC may be sent in alternate encodings besides the usual 4-byte encoding
> >>>>> # that is used by default. This plugin takes the port numbers that RPC
> >>>>> # services are running on as arguments - it is assumed that the given ports
> >>>>> # are actually running this type of service. If not, change the ports or turn
> >>>>> # it off.
> >>>>> # The RPC decode preprocessor uses generator ID 106
> >>>>> #
> >>>>> # arguments: space separated list
> >>>>> # alert_fragments - alert on any rpc fragmented TCP data
> >>>>> # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
> >>>>> # no_alert_large_fragments - don't alert when the fragmented
> >>>>> #                            sizes exceed the current packet size
> >>>>> # no_alert_incomplete - don't alert when a single segment
> >>>>> #                       exceeds the current packet size
> >>>>>
> >>>>> preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
> >>>>>
> >>>>> # bo: Back Orifice detector
> >>>>> # -------------------------
> >>>>> # Detects Back Orifice traffic on the network.
> >>>>> #
> >>>>> # arguments:
> >>>>> #   syntax:
> >>>>> #     preprocessor bo: noalert { client | server | general | snort_attack } \
> >>>>> #                      drop    { client | server | general | snort_attack }
> >>>>> #   example:
> >>>>> #     preprocessor bo: noalert { general server } drop { snort_attack }
> >>>>>
> >>>>> #
> >>>>> # The Back Orifice detector uses Generator ID 105 and uses the
> >>>>> # following SIDS for that GID:
> >>>>> #  SID     Event description
> >>>>> # -----   -------------------
> >>>>> #   1       Back Orifice traffic detected
> >>>>> #   2       Back Orifice Client Traffic Detected
> >>>>> #   3       Back Orifice Server Traffic Detected
> >>>>> #   4       Back Orifice Snort Buffer Attack
> >>>>>
> >>>>> preprocessor bo
> >>>>>
> >>>>> # telnet_decode: Telnet negotiation string normalizer
> >>>>> # ---------------------------------------------------
> >>>>> # This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
> >>>>> # traffic.  It works in much the same way as the http_decode preprocessor,
> >>>>> # searching for traffic that breaks up the normal data stream of a protocol and
> >>>>> # replacing it with a normalized representation of that traffic so that the
> >>>>> # "content" pattern matching keyword can work without requiring modifications.
> >>>>> # This preprocessor requires no arguments.
> >>>>> #
> >>>>> # DEPRECATED in favor of ftp_telnet dynamic preprocessor
> >>>>> #preprocessor telnet_decode
> >>>>> #
> >>>>> # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
> >>>>> # ---------------------------------------------------------------------------
> >>>>> # This preprocessor normalizes telnet negotiation strings from telnet and
> >>>>> # ftp traffic.  It looks for traffic that breaks the normal data stream
> >>>>> # of the protocol, replacing it with a normalized representation of that
> >>>>> # traffic so that the "content" pattern matching keyword can work without
> >>>>> # requiring modifications.
> >>>>> #
> >>>>> # It also performs protocol correctness checks for the FTP command channel,
> >>>>> # and identifies open FTP data transfers.
> >>>>> #
> >>>>> # FTPTelnet has numerous options available, please read
> >>>>> # README.ftptelnet for help configuring the options for the global
> >>>>> # telnet, ftp server, and ftp client sections for the protocol.
> >>>>>
> >>>>> #####
> >>>>> # Per Step #2, set the following to load the ftptelnet preprocessor
> >>>>> # dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
> >>>>> # or use commandline option
> >>>>> # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
> >>>>> preprocessor ftp_telnet: \
> >>>>>     global \
> >>>>>     encrypted_traffic yes \
> >>>>>     check_encrypted \
> >>>>>     inspection_type stateful
> >>>>>
> >>>>> preprocessor ftp_telnet_protocol: \
> >>>>>     telnet \
> >>>>>     ayt_attack_thresh 20 \
> >>>>>     normalize ports { 23 } \
> >>>>>     detect_anomalies
> >>>>>
> >>>>> preprocessor ftp_telnet_protocol: \
> >>>>>     ftp server default \
> >>>>>     def_max_param_len 100 \
> >>>>>     ports { 21 2100 } \
> >>>>>     ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \
> >>>>>     ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \
> >>>>>     ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \
> >>>>>     ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } \
> >>>>>     ftp_cmds { FEAT OPTS CEL CMD MACB } \
> >>>>>     ftp_cmds { MDTM REST SIZE MLST MLSD } \
> >>>>>     ftp_cmds { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> >>>>>     alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } \
> >>>>>     alt_max_param_len 100 { MDTM CEL XCWD SITE USER PASS REST DELE RMD SYST TEST STAT MACB EPSV CLNT LPRT } \
> >>>>>     alt_max_param_len 200 { XMKD NLST ALLO STOU APPE RETR STOR CMD RNFR HELP } \
> >>>>>     alt_max_param_len 256 { RNTO CWD } \
> >>>>>     alt_max_param_len 400 { PORT } \
> >>>>>     alt_max_param_len 512 { SIZE } \
> >>>>>     chk_str_fmt { USER PASS ACCT CWD SDUP SMNT PORT TYPE STRU MODE } \
> >>>>>     chk_str_fmt { RETR STOR STOU APPE ALLO REST RNFR RNTO DELE RMD MKD } \
> >>>>>     chk_str_fmt { LIST NLST SITE SYST STAT HELP } \
> >>>>>     chk_str_fmt { AUTH ADAT PROT PBSZ CONF ENC } \
> >>>>>     chk_str_fmt { FEAT OPTS CEL CMD } \
> >>>>>     chk_str_fmt { MDTM REST SIZE MLST MLSD } \
> >>>>>     chk_str_fmt { XPWD XCWD XCUP XMKD XRMD TEST CLNT } \
> >>>>>     cmd_validity MODE < char ASBCZ > \
> >>>>>     cmd_validity STRU < char FRP > \
> >>>>>     cmd_validity ALLO < int [ char R int ] > \
> >>>>>     cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > \
> >>>>>     cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> >>>>>     cmd_validity PORT < host_port >
> >>>>>
> >>>>> preprocessor ftp_telnet_protocol: \
> >>>>>     ftp client default \
> >>>>>     max_resp_len 200 \
> >>>>>     bounce yes \
> >>>>>     telnet_cmds no
> >>>>>
> >>>>> # smtp: SMTP normalizer, protocol enforcement and buffer overflow
> >>>>> # ---------------------------------------------------------------------------
> >>>>> # This preprocessor normalizes SMTP commands by removing extraneous spaces.
> >>>>> # It looks for overly long command lines, response lines, and data header lines.
> >>>>> # It can alert on invalid commands, or specific valid commands.  It can optionally
> >>>>> # ignore mail data, and can ignore TLS encrypted data.
> >>>>> #
> >>>>> # SMTP has numerous options available, please read README.SMTP for help
> >>>>> # configuring options.
> >>>>>
> >>>>> #####
> >>>>> # Per Step #2, set the following to load the smtp preprocessor
> >>>>> # dynamicpreprocessor <full path to libsf_smtp_preproc.so>
> >>>>> # or use commandline option
> >>>>> # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
> >>>>>
> >>>>> preprocessor SMTP: \
> >>>>>     ports { 25 465 691 } \
> >>>>>     inspection_type stateful \
> >>>>>     normalize cmds \
> >>>>>     valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> >>>>>     normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> >>>>>     max_header_line_len 1000 \
> >>>>>     max_response_line_len 512 \
> >>>>>     alt_max_command_line_len 260 { MAIL } \
> >>>>>     alt_max_command_line_len 300 { RCPT } \
> >>>>>     alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
> >>>>>     alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
> >>>>>     alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX } \
> >>>>>     alt_max_command_line_len 246 { QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR } \
> >>>>>     alt_max_command_line_len 246 { XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \
> >>>>>     xlink2state { enable }
> >>>>>
> >>>>> # sfPortscan
> >>>>> # ----------
> >>>>> # Portscan detection module.  Detects various types of portscans and
> >>>>> # portsweeps.  For more information on detection philosophy, alert types,
> >>>>> # and detailed portscan information, please refer to the README.sfportscan.
> >>>>> #
> >>>>> # -configuration options-
> >>>>> #     proto { tcp udp icmp ip all }
> >>>>> #       The arguments to the proto option are the types of protocol scans that
> >>>>> #       the user wants to detect.  Arguments should be separated by spaces and
> >>>>> #       not commas.
> >>>>> #     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
> >>>>> #       The arguments to the scan_type option are the scan types that the
> >>>>> #       user wants to detect.  Arguments should be separated by spaces and not
> >>>>> #       commas.
> >>>>> #     sense_level { low|medium|high }
> >>>>> #       There is only one argument to this option and it is the level of
> >>>>> #       sensitivity in which to detect portscans.  The 'low' sensitivity
> >>>>> #       detects scans by the common method of looking for response errors, such
> >>>>> #       as TCP RSTs or ICMP unreachables.  This level requires the least
> >>>>> #       tuning.  The 'medium' sensitivity level detects portscans and
> >>>>> #       filtered portscans (portscans that receive no response).  This
> >>>>> #       sensitivity level usually requires tuning out scan events from NATed
> >>>>> #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
> >>>>> #       lower thresholds for portscan detection and a longer time window than
> >>>>> #       the 'medium' sensitivity level.  Requires more tuning and may be noisy
> >>>>> #       on very active networks.  However, this sensitivity level catches the
> >>>>> #       most scans.
> >>>>> #     memcap { positive integer }
> >>>>> #       The maximum number of bytes to allocate for portscan detection.  The
> >>>>> #       higher this number the more nodes that can be tracked.
> >>>>> #     logfile { filename }
> >>>>> #       This option specifies the file to log portscan and detailed portscan
> >>>>> #       values to.  If there is not a leading /, then snort logs to the
> >>>>> #       configured log directory.  Refer to README.sfportscan for details on
> >>>>> #       the logged values in the logfile.
> >>>>> #     watch_ip { Snort IP List }
> >>>>> #     ignore_scanners { Snort IP List }
> >>>>> #     ignore_scanned { Snort IP List }
> >>>>> #       These options take a snort IP list as the argument.  The 'watch_ip'
> >>>>> #       option specifies the IP(s) to watch for portscan.  The
> >>>>> #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
> >>>>> #       Note that these hosts are still watched as scanned hosts.  The
> >>>>> #       'ignore_scanners' option is used to tune alerts from very active
> >>>>> #       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
> >>>>> #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
> >>>>> #       are still watched as scanner hosts.  The 'ignore_scanned' option is
> >>>>> #       used to tune alerts from very active hosts such as syslog servers, etc.
> >>>>> #     detect_ack_scans
> >>>>> #       This option will include sessions picked up in midstream by the stream
> >>>>> #       module, which is necessary to detect ACK scans.  However, this can lead to
> >>>>> #       false alerts, especially under heavy load with dropped packets; which is why
> >>>>> #       the option is off by default.
> >>>>> #
> >>>>> # Disabled by default
> >>>>> #
> >>>>> # preprocessor sfportscan: proto  { all } \
> >>>>> #                         memcap { 10000000 } \
> >>>>> #                         sense_level { low }
> >>>>>
> >>>>> # arpspoof
> >>>>> #----------------------------------------
> >>>>> # Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
> >>>>> # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
> >>>>> # this preprocessor you must specify the IP and hardware address of hosts on
> >>>>> # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
> >>>>> # Also takes a "-unicast" option to turn on unicast ARP request detection.
> >>>>> # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
> >>>>>
> >>>>> #  SID     Event description
> >>>>> # -----   -------------------
> >>>>> #   1       Unicast ARP request
> >>>>> #   2       Etherframe ARP mismatch (src)
> >>>>> #   3       Etherframe ARP mismatch (dst)
> >>>>> #   4       ARP cache overwrite attack
> >>>>>
> >>>>> #preprocessor arpspoof
> >>>>> #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
> >>>>>
> >>>>> # ssh
> >>>>> #----------------------------------------
> >>>>> # EXPERIMENTAL CODE!!!
> >>>>> #
> >>>>> # THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
> >>>>> # USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
> >>>>> # YOU HAVE BEEN WARNED.
> >>>>> #
> >>>>> # The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
> >>>>> # Secure CRT, and the Protocol Mismatch exploit.
> >>>>> #
> >>>>> # Both Gobbles and CRC 32 attacks occur after the key exchange, and are
> >>>>> # therefore encrypted.  Both attacks involve sending a large payload
> >>>>> # (20kb+) to the server immediately after the authentication challenge.
> >>>>> # To detect the attacks, the SSH preprocessor counts the number of bytes
> >>>>> # transmitted to the server.  If those bytes exceed a pre-defined limit
> >>>>> # within a pre-defined number of packets, an alert is generated.  Since
> >>>>> # Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
> >>>>> # version string exchange is used to distinguish the attacks.
> >>>>> #
> >>>>> # The Secure CRT and protocol mismatch exploits are observable before
> >>>>> # the key exchange.
> >>>>> #
> >>>>> # SSH has numerous options available, please read README.ssh for help
> >>>>> # configuring options.
> >>>>>
> >>>>> #####
> >>>>> # Per Step #2, set the following to load the ssh preprocessor
> >>>>> # dynamicpreprocessor <full path to libsf_ssh_preproc.so>
> >>>>> # or use commandline option
> >>>>> # --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
> >>>>> #
> >>>>> #preprocessor ssh: server_ports { 22 } \
> >>>>> #                  max_client_bytes 19600 \
> >>>>> #                  max_encrypted_packets 20 \
> >>>>> #                  disable_srvoverflow \
> >>>>> #                  disable_protomismatch \
> >>>>> #                  disable_badmsgdir
> >>>>>
> >>>>> #UPDATE HERE MEW#
> >>>>> #----------------------------------------
> >>>>> # SSL Preprocessor configuration
> >>>>> #
> >>>>> preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 },
> >>>>> trustservers, noinspect_encrypted
> >>>>>
> >>>>> # DCE/RPC
> >>>>> #----------------------------------------
> >>>>> #
> >>>>> # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
> >>>>> # It is primarily interested in DCE/RPC data, and only decodes SMB
> >>>>> # to get at the DCE/RPC data carried by the SMB layer.
> >>>>> #
> >>>>> # Currently, the preprocessor only handles reassembly of fragmentation
> >>>>> # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
> >>>>> # using both types of fragmentation; with the preprocessor enabled
> >>>>> # the rules are given a buffer with a reassembled SMB or DCE/RPC
> >>>>> # packet to examine.
> >>>>> #
> >>>>> # At the SMB layer, only fragmentation using WriteAndX is currently
> >>>>> # reassembled.  Other methods will be handled in future versions of
> >>>>> # the preprocessor.
> >>>>> #
> >>>>> # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
> >>>>> # the SMB data, as well as checking the NetBIOS header (which is always
> >>>>> # present for SMB) for the type "SMB Session".
> >>>>> #
> >>>>> # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
> >>>>> # checked in the packet.  Assuming that the data is a DCE/RPC header,
> >>>>> # one byte is checked for DCE/RPC version (5) and another for the type
> >>>>> # "DCE/RPC Request".  If both match, the preprocessor proceeds with the
> >>>>> # assumption that it is looking at DCE/RPC data.  If subsequent checks
> >>>>> # are nonsensical, it ends processing.
> >>>>> #
> >>>>> # DCERPC has numerous options available, please read README.dcerpc for help
> >>>>> # configuring options.
> >>>>>
> >>>>> #####
> >>>>> # Per Step #2, set the following to load the dcerpc preprocessor
> >>>>> # dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
> >>>>> # or use commandline option
> >>>>> # --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>
> >>>>>
> >>>>> preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
> >>>>> preprocessor dcerpc2_server: default, policy WinXP, \
> >>>>>     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
> >>>>>     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
> >>>>>     smb_max_chain 3
> >>>>>
> >>>>> # DNS
> >>>>> #----------------------------------------
> >>>>> # The dns preprocessor (currently) decodes DNS Response traffic
> >>>>> # and detects a few vulnerabilities.
> >>>>> #
> >>>>> # DNS has a few options available, please read README.dns for
> >>>>> # help configuring options.
> >>>>>
> >>>>> #####
> >>>>> # Per Step #2, set the following to load the dns preprocessor
> >>>>> # dynamicpreprocessor <full path to libsf_dns_preproc.so>
> >>>>> # or use commandline option
> >>>>> # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
> >>>>>
> >>>>> preprocessor dns: ports { 53 } enable_rdata_overflow
> >>>>>
> >>>>> ####################################################################
> >>>>> # Step #4: Configure output plugins
> >>>>> #
> >>>>> # Uncomment and configure the output plugins you decide to use.  General
> >>>>> # configuration for output plugins is of the form:
> >>>>> #
> >>>>> # output <name_of_plugin>: <configuration_options>
> >>>>> #
> >>>>> # alert_syslog: log alerts to syslog
> >>>>> # ----------------------------------
> >>>>> # Use one or more syslog facilities as arguments.  Win32 can also optionally
> >>>>> # specify a particular hostname/port.  Under Win32, the default hostname is
> >>>>> # '127.0.0.1', and the default port is 514.
> >>>>> #
> >>>>> # [Unix flavours should use this format...]
> >>>>> # output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT
> >>>>> #
> >>>>> # [Win32 can use any of these formats...]
> >>>>> # output alert_syslog: LOG_AUTH LOG_ALERT
> >>>>> # output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
> >>>>> # output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
> >>>>>
> >>>>> # log_tcpdump: log packets in binary tcpdump format
> >>>>> # -------------------------------------------------
> >>>>> # The only argument is the output file name.
> >>>>> #
> >>>>> # output log_tcpdump: tcpdump.log
> >>>>>
> >>>>> # database: log to a variety of databases
> >>>>> # ---------------------------------------
> >>>>> # See the README.database file for more information about configuring
> >>>>> # and using this plugin.
> >>>>> #
> >>>>> # output database: log, mysql, user=root password=test dbname=db host=localhost
> >>>>> # output database: alert, postgresql, user=snort dbname=snort
> >>>>> # output database: log, odbc, user=snort dbname=snort
> >>>>> # output database: log, mssql, dbname=snort user=snort password=test
> >>>>> # output database: log, oracle, dbname=snort user=snort password=test
> >>>>>
> >>>>> # unified: Snort unified binary format alerting and logging
> >>>>> # -------------------------------------------------------------
> >>>>> # The unified output plugin provides two new formats for logging and generating
> >>>>> # alerts from Snort, the "unified" format.  The unified format is a straight
> >>>>> # binary format for logging data out of Snort that is designed to be fast and
> >>>>> # efficient.  Used with barnyard (the new alert/log processor), most of the
> >>>>> # overhead for logging and alerting to various slow storage mechanisms such as
> >>>>> # databases or the network can now be avoided.
> >>>>> #
> >>>>> # Check out the spo_unified.h file for the data formats.
> >>>>> #
> >>>>> # Two arguments are supported.
> >>>>> #    filename - base filename to write to (current time_t is appended)
> >>>>> #    limit    - maximum size of spool file in MB (default: 128)
> >>>>> #
> >>>>> # output alert_unified: filename snort.alert, limit 128
> >>>>> # output log_unified: filename snort.log, limit 128
> >>>>>
> >>>>>
> >>>>> # prelude: log to the Prelude Hybrid IDS system
> >>>>> # ---------------------------------------------
> >>>>> #
> >>>>> # profile = Name of the Prelude profile to use (default is snort).
> >>>>> #
> >>>>> # Snort priority to IDMEF severity mappings:
> >>>>> # high < medium < low < info
> >>>>> #
> >>>>> # These are the defaults mapped from classification.config:
> >>>>> # info   = 4
> >>>>> # low    = 3
> >>>>> # medium = 2
> >>>>> # high   = anything below medium
> >>>>> #
> >>>>> # output alert_prelude
> >>>>> # output alert_prelude: profile=snort-profile-name
> >>>>>
> >>>>>
> >>>>> #
> >>>>> # Include classification & priority settings
> >>>>> # Note for Windows users:  You are advised to make this an absolute path,
> >>>>> # such as:  c:\snort\etc\classification.config
> >>>>> #
> >>>>>
> >>>>> include classification.config
> >>>>>
> >>>>> #
> >>>>> # Include reference systems
> >>>>> # Note for Windows users:  You are advised to make this an absolute path,
> >>>>> # such as:  c:\snort\etc\reference.config
> >>>>> #
> >>>>>
> >>>>> include reference.config
> >>>>>
> >>>>> ####################################################################
> >>>>> # Step #5: Configure snort with config statements
> >>>>> #
> >>>>> # See the snort manual for a full set of configuration references
> >>>>> #
> >>>>> # config flowbits_size: 64
> >>>>> #
> >>>>> # New global ignore_ports config option from Andy Mullican
> >>>>> #
> >>>>> # config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
> >>>>> # config ignore_ports: tcp 21 6667:6671 1356
> >>>>> # config ignore_ports: udp 1:17 53
> >>>>>
> >>>>>
> >>>>> ####################################################################
> >>>>> # Step #6: Customize your rule set
> >>>>> #
> >>>>> # Up to date snort rules are available at http://www.snort.org
> >>>>> #
> >>>>> # The snort web site has documentation about how to write your own custom snort
> >>>>> # rules.
> >>>>>
> >>>>> #=========================================
> >>>>> # Include all relevant rulesets here
> >>>>> #
> >>>>> # The following rulesets are disabled by default:
> >>>>> #
> >>>>> #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
> >>>>> #   chat, multimedia, and p2p
> >>>>> #
> >>>>> # These rules are either site policy specific or require tuning in order to not
> >>>>> # generate false positive alerts in most environments.
> >>>>> #
> >>>>> # Please read the specific include file for more information and
> >>>>> # README.alert_order for how rule ordering affects how alerts are triggered.
> >>>>> #=========================================
> >>>>>
> >>>>> include $RULE_PATH/local.rules
> >>>>> # include $RULE_PATH/bad-traffic.rules
> >>>>> include $RULE_PATH/exploit.rules
> >>>>> # include $RULE_PATH/scan.rules
> >>>>> # include $RULE_PATH/finger.rules
> >>>>> include $RULE_PATH/ftp.rules
> >>>>> include $RULE_PATH/telnet.rules
> >>>>> include $RULE_PATH/rpc.rules
> >>>>> include $RULE_PATH/rservices.rules
> >>>>> include $RULE_PATH/dos.rules
> >>>>> include $RULE_PATH/ddos.rules
> >>>>> include $RULE_PATH/dns.rules
> >>>>> # include $RULE_PATH/tftp.rules
> >>>>>
> >>>>> include $RULE_PATH/web-cgi.rules
> >>>>> include $RULE_PATH/web-coldfusion.rules
> >>>>> include $RULE_PATH/web-iis.rules
> >>>>> include $RULE_PATH/web-frontpage.rules
> >>>>> include $RULE_PATH/web-misc.rules
> >>>>> include $RULE_PATH/web-client.rules
> >>>>> include $RULE_PATH/web-php.rules
> >>>>>
> >>>>> include $RULE_PATH/sql.rules
> >>>>> include $RULE_PATH/x11.rules
> >>>>> # include $RULE_PATH/icmp.rules
> >>>>> include $RULE_PATH/netbios.rules
> >>>>> include $RULE_PATH/misc.rules
> >>>>> include $RULE_PATH/attack-responses.rules
> >>>>> include $RULE_PATH/oracle.rules
> >>>>> include $RULE_PATH/mysql.rules
> >>>>> # include $RULE_PATH/snmp.rules
> >>>>>
> >>>>> include $RULE_PATH/smtp.rules
> >>>>> include $RULE_PATH/imap.rules
> >>>>> include $RULE_PATH/pop2.rules
> >>>>> include $RULE_PATH/pop3.rules
> >>>>>
> >>>>> include $RULE_PATH/nntp.rules
> >>>>> # include $RULE_PATH/other-ids.rules
> >>>>> # include $RULE_PATH/web-attacks.rules
> >>>>> include $RULE_PATH/backdoor.rules
> >>>>> # include $RULE_PATH/shellcode.rules
> >>>>> # include $RULE_PATH/policy.rules
> >>>>> # include $RULE_PATH/porn.rules
> >>>>> # include $RULE_PATH/info.rules
> >>>>> # include $RULE_PATH/icmp-info.rules
> >>>>> # include $RULE_PATH/virus.rules
> >>>>> # include $RULE_PATH/chat.rules
> >>>>> # include $RULE_PATH/multimedia.rules
> >>>>> # include $RULE_PATH/p2p.rules
> >>>>> include $RULE_PATH/spyware-put.rules
> >>>>> include $RULE_PATH/specific-threats.rules
> >>>>> # include $RULE_PATH/experimental.rules
> >>>>> # include $RULE_PATH/content-replace.rules
> >>>>> include $RULE_PATH/voip.rules
> >>>>>
> >>>>> # If you're using the so rules you need to do something like the following
> >>>>> # cd into the so_rules directory where you built the so rules
> >>>>> # cat *.rules >> so-rules.rules
> >>>>> # cp to $RULE_PATH/so-rules.rules
> >>>>> # uncomment this line
> >>>>> # include $RULE_PATH/so-rules.rules
> >>>>>
> >>>>> # Include any thresholding or suppression commands. See threshold.conf in the
> >>>>> # <snort src>/etc directory for details. Commands don't necessarily need to be
> >>>>> # contained in this conf, but a separate conf makes it easier to maintain them.
> >>>>> # Note for Windows users:  You are advised to make this an absolute path,
> >>>>> # such as:  c:\snort\etc\threshold.conf
> >>>>> # Uncomment if needed.
> >>>>> # include threshold.conf
> >>>>>
> >>>>> =================================================
> >>>>>
> >>>>> --
> >>>>>
> >>>>>
> >>>>> Thanks & Regards
> >>>>>
> >>>>> Sadanand G.
> >>>>>
> >>>>>
> >>>>>
> >>>>> ------------------------------------------------------------------------------
> >>>>> Crystal Reports - New Free Runtime and 30 Day Trial
> >>>>> Check out the new simplified licensing option that enables
> >>>>> unlimited royalty-free distribution of the report engine
> >>>>> for externally facing server and web deployment.
> >>>>> http://p.sf.net/sfu/businessobjects
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
> >>>
> >>>
> >>>
> >>> --
> >>>
> >>>
> >>> Thanks & Regards
> >>>
> >>> Sadanand G.
> >>
> >>
> >>
> >> --
> >> joel esler | Sourcefire | gtalk: jesler at ...1935... | 302-223-5974
> >
> >
> >
> > --
> >
> >
> > Thanks & Regards
> >
> > Sadanand G.
> >
> >
> >
>
>
>
> --
> Brian Starrfield
> Manager, Proserv
> 440-666-9688
> brian.starrfield at ...1935...
>



-- 


Thanks & Regards

Sadanand G.
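The fix that closed this thread was an `output alert_syslog: host=127.0.0.1:514, LOG_AUTH LOG_ALERT` line, together with Brian's advice to check that the syslog listener really is up on that socket. The following is an added Python example, not code from the Snort project, Kiwi, or anyone in the thread, of a minimal stand-in for that listener: it binds the same UDP address, decodes the syslog PRI prefix (facility * 8 + severity, as RFC 3164 defines it) and pulls the rule id, message, classification and endpoints out of a Snort alert line. It lets you confirm, independently of Kiwi, both that datagrams are arriving on 514 and that the facility/severity they carry match the keywords in snort.conf. The `SAMPLE` line, the sensor host name and the addresses are constructed; the example assumes Snort is sending over UDP, which is what the `host=...:514` form does.

```python
"""Minimal stand-in for the syslog listener that Snort's alert_syslog output
talks to (added example; not Snort or Kiwi code).

Binds UDP 127.0.0.1:514, decodes the syslog PRI prefix (facility * 8 + severity,
RFC 3164) and parses a Snort alert line. SAMPLE below is constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

# syslog(3) facility and severity codes; the names match the keywords
# snort.conf accepts on the alert_syslog line (LOG_AUTH, LOG_LOCAL7, ...).
FACILITIES = {
    "LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
    "LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
    "LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
    "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
    "LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}

# Constructed sample of one Snort alert as it appears on the wire:
# <PRI> is 33 = LOG_AUTH (4) * 8 + LOG_ALERT (1).
SAMPLE = ("<33>May 22 10:56:53 sensor snort: [1:100001:1] LOCAL test alert "
          "[Classification: Misc activity] [Priority: 3] {ICMP} "
          "192.0.2.10 -> 192.0.2.1")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


@dataclass
class SnortAlert:
    facility: str
    severity: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str


def expected_pri(facility: str, severity: str) -> int:
    """PRI value a message sent with these snort.conf keywords should carry.
    The lookup is case-insensitive, so 'LOG_Local7' resolves like 'LOG_LOCAL7'."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility name, severity name)."""
    fac, sev = divmod(pri, 8)
    fac_name = next((n for n, v in FACILITIES.items() if v == fac), f"facility{fac}")
    sev_name = next((n for n, v in SEVERITIES.items() if v == sev), f"severity{sev}")
    return fac_name, sev_name


def parse_syslog_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog datagram carrying a Snort alert; None if it is not one."""
    m = PRI_RE.match(line)
    if not m:
        return None
    fac_name, sev_name = decode_pri(int(m.group(1)))
    a = ALERT_RE.search(m.group(2))
    if not a:
        return None
    return SnortAlert(
        facility=fac_name, severity=sev_name,
        gid=int(a["gid"]), sid=int(a["sid"]), rev=int(a["rev"]),
        msg=a["msg"].strip(), classification=a["cls"],
        priority=int(a["prio"]), proto=a["proto"], src=a["src"], dst=a["dst"],
    )


def serve(host: str = "127.0.0.1", port: int = 514,
          max_messages: Optional[int] = None) -> int:
    """Bind the UDP syslog port, print each decoded alert, return the count seen."""
    count = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))  # fails loudly if Kiwi (or anything) holds the port
        while max_messages is None or count < max_messages:
            data, peer = sock.recvfrom(65535)
            count += 1
            alert = parse_syslog_alert(data.decode("utf-8", "replace"))
            if alert is None:
                print(f"{peer[0]}: unparsed: {data!r}")
            else:
                print(f"{peer[0]}: {alert.facility}/{alert.severity} "
                      f"[{alert.gid}:{alert.sid}:{alert.rev}] {alert.msg} "
                      f"{alert.proto} {alert.src} -> {alert.dst}")
    return count


if __name__ == "__main__":
    serve()
```

Run it only while Kiwi is stopped, since two listeners cannot share 127.0.0.1:514; if `bind` fails, something else already owns the socket, which is the situation the thread's reboot advice addresses. `expected_pri("LOG_AUTH", "LOG_ALERT")` gives 33, and `LOG_LOCAL7` with `LOG_ALERT` gives 185, so the first byte sequence of each datagram tells you directly which facility Snort actually used.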